cpflow 4.1.1 → 5.0.0.rc.0

data/lib/generator_templates/Dockerfile

@@ -1,23 +1,79 @@
-FROM ruby:3.1.2
+ARG RUBY_VERSION=__RUBY_VERSION__
 
-RUN apt-get update
+# Node and Ruby base images share the same Debian release so that glibc, libssl, and
+# other system libraries line up between stages.
+FROM docker.io/library/node:22-bookworm-slim AS node
+FROM ruby:$RUBY_VERSION-slim-bookworm
+
+# Yarn Classic / pnpm fallbacks for projects that haven't adopted corepack via
+# `packageManager` in package.json. Override at build time (`--build-arg=YARN_CLASSIC_VERSION=...`)
+# rather than editing this file so regenerating the Dockerfile keeps your pin.
+ARG YARN_CLASSIC_VERSION=1.22.22
+ARG PNPM_FALLBACK_VERSION=9.12.3
 
 WORKDIR /app
 
+# Keep Node.js available both for asset compilation and for SSR runtimes that
+# rely on ExecJS in production. Narrowed to just what the node stage actually
+# ships under /usr/local so we don't drag in unused Debian libs from that image.
+COPY --from=node /usr/local/bin/node /usr/local/bin/node
+COPY --from=node /usr/local/bin/npm /usr/local/bin/npm
+COPY --from=node /usr/local/bin/npx /usr/local/bin/npx
+COPY --from=node /usr/local/bin/corepack /usr/local/bin/corepack
+COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
+COPY --from=node /usr/local/include/node /usr/local/include/node
+
+# Expose Corepack-managed shims so later build steps can call yarn/pnpm
+# directly during asset precompilation hooks.
+RUN printf '%s\n' '#!/bin/sh' 'exec corepack yarn "$@"' > /usr/bin/yarn && \
+    chmod +x /usr/bin/yarn && \
+    printf '%s\n' '#!/bin/sh' 'exec corepack pnpm "$@"' > /usr/bin/pnpm && \
+    chmod +x /usr/bin/pnpm
+
 # install ruby gems
 COPY Gemfile* ./
 
 RUN bundle config set without 'development test' && \
-    bundle config set with 'staging production' && \
+    bundle config set with 'production' && \
     bundle install --jobs=3 --retry=3
 
 COPY . ./
 
+# Install JavaScript dependencies only when the project actually has them.
+# Pin `packageManager` in package.json to take the corepack path and avoid the
+# YARN_CLASSIC_VERSION / PNPM_FALLBACK_VERSION fallbacks below; the fallbacks exist for
+# projects that haven't adopted corepack and should be reviewed periodically as they go stale.
+RUN if [ -f package.json ]; then \
+      package_manager="$(node -p "require('./package.json').packageManager || ''")"; \
+      if [ -f yarn.lock ]; then \
+        if printf '%s' "$package_manager" | grep -q '^yarn@'; then \
+          corepack prepare "$package_manager" --activate && \
+            (corepack yarn install --immutable || corepack yarn install --frozen-lockfile); \
+        else \
+          npm install -g "yarn@${YARN_CLASSIC_VERSION}" && \
+            (yarn install --immutable || yarn install --frozen-lockfile); \
+        fi; \
+      elif [ -f pnpm-lock.yaml ]; then \
+        if printf '%s' "$package_manager" | grep -q '^pnpm@'; then \
+          corepack prepare "$package_manager" --activate && \
+            corepack pnpm install --frozen-lockfile; \
+        else \
+          corepack prepare "pnpm@${PNPM_FALLBACK_VERSION}" --activate && \
+            corepack pnpm install --frozen-lockfile; \
+        fi; \
+      elif [ -f package-lock.json ]; then \
+        npm ci; \
+      else \
+        npm install; \
+      fi; \
+    fi
+
 ENV RAILS_ENV=production
 
 # compiling assets requires any value for ENV of SECRET_KEY_BASE
 ENV SECRET_KEY_BASE=NOT_USED_NON_BLANK
 
+__ASSET_PRECOMPILE_HOOK_RUN__
 RUN rails assets:precompile
 
 # add entrypoint

data/lib/generator_templates/controlplane.yml

@@ -1,62 +1,50 @@
 # Keys beginning with "cpln_" correspond to your settings in Control Plane.
+#
+# Generated baseline for a Rails app that uses PostgreSQL in production.
+# Rename the app keys below if you want something other than the repo name.
 
-# You can opt out of allowing the use of CPLN_ORG and CPLN_APP env vars
-# to avoid any accidents with the wrong org / app.
 allow_org_override_by_env: true
 allow_app_override_by_env: true
 
 aliases:
   common: &common
-    # Organization name for staging (customize to your needs).
-    # Production apps will use a different organization, specified below, for security.
     cpln_org: my-org-staging
-
-    # Example apps use only one location. Control Plane offers the ability to use multiple locations.
-    # TODO: Allow specification of multiple locations.
     default_location: aws-us-east-2
+    setup_app_templates:
+      - app
+      - postgres
+      - rails
 
-    # Configure the workload name used as a template for one-off scripts, like a Heroku one-off dyno.
     one_off_workload: rails
-
-    # Workloads that are for the application itself and are using application Docker images.
-    # These are updated with the new image when running the `deploy-image` command,
-    # and are also used by the `info` and `ps:` commands in order to get all of the defined workloads.
-    # On the other hand, if you have a workload for Redis, that would NOT use the application Docker image
-    # and not be listed here.
     app_workloads:
       - rails
-
-    # Additional "service type" workloads, using non-application Docker images.
-    # These are only used by the `info` and `ps:` commands in order to get all of the defined workloads.
     additional_workloads:
       - postgres
 
-    # Configure the workload name used when maintenance mode is on (defaults to "maintenance")
     maintenance_workload: maintenance
+    release_script: release_script.sh
 
-apps:
-  my-app-staging:
-    # Use the values from the common section above.
-    <<: *common
-  my-app-review:
-    <<: *common
-    # If `match_if_app_name_starts_with` is `true`, then use this config for app names starting with this name,
-    # e.g., "my-app-review-pr123", "my-app-review-anything-goes", etc.
-    match_if_app_name_starts_with: true
-  my-app-production:
-    <<: *common
+    stale_app_image_deployed_days: 5
+    image_retention_days: 7
 
-    # You can also opt out of allowing the use of CPLN_ORG and CPLN_APP env vars per app.
-    # It's recommended to leave this off for production, to avoid any accidents.
+  production: &production
+    <<: *common
     allow_org_override_by_env: false
     allow_app_override_by_env: false
-
-    # Use a different organization for production.
     cpln_org: my-org-production
-    # Allows running the command `cpflow promote-app-from-upstream -a my-app-production`
-    # to promote the staging app to production.
-    upstream: my-app-staging
-  my-app-other:
+    upstream: __APP_PREFIX__-staging
+
+apps:
+  __APP_PREFIX__-staging:
     <<: *common
-    # You can specify a different `Dockerfile` relative to the `.controlplane/` directory (defaults to "Dockerfile").
-    dockerfile: ../some_other/Dockerfile
+
+  __APP_PREFIX__-review:
+    <<: *common
+    match_if_app_name_starts_with: true
+    # Uncomment to automatically initialize and tear down review-app databases:
+    # hooks:
+    #   post_creation: bundle exec rails db:prepare
+    #   pre_deletion: bundle exec rails db:drop
+
+  __APP_PREFIX__-production:
+    <<: *production

data/lib/generator_templates/entrypoint.sh

@@ -4,5 +4,5 @@
 echo " -- Preparing database"
 rails db:prepare
 
-echo " -- Finishing entrypoint.sh, executing '$@'"
+echo " -- Finishing entrypoint.sh, executing command"
 exec "$@"

data/lib/generator_templates/release_script.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+set -e
+
+log() {
+  echo "[$(date +%Y-%m-%d:%H:%M:%S)]: $1"
+}
+
+error_exit() {
+  log "$1" 1>&2
+  exit 1
+}
+
+log "Running release_script.sh per controlplane.yml"
+
+if [ -x ./bin/rails ]; then
+  log "Run DB migrations"
+  SECRET_KEY_BASE="${SECRET_KEY_BASE:-precompile_placeholder}" ./bin/rails db:prepare || \
+    error_exit "Failed to run DB migrations"
+else
+  error_exit "./bin/rails does not exist or is not executable"
+fi
+
+log "Completed release_script.sh per controlplane.yml"

data/lib/generator_templates/templates/app.yml

@@ -2,20 +2,17 @@
 kind: gvc
 name: {{APP_NAME}}
 spec:
-  # For using templates for test apps, put ENV values here, stored in git repo.
-  # Production apps will have values configured manually after app creation.
   env:
     - name: DATABASE_URL
-      # Password does not matter because host postgres.{{APP_NAME}}.cpln.local can only be accessed
-      # locally within CPLN GVC, and postgres running on a CPLN workload is something only for a
-      # test app that lacks persistence.
       value: 'postgres://the_user:the_password@postgres.{{APP_NAME}}.cpln.local:5432/{{APP_NAME}}'
     - name: RAILS_ENV
       value: production
+    - name: RAILS_LOG_TO_STDOUT
+      value: "true"
     - name: RAILS_SERVE_STATIC_FILES
-      value: 'true'
-
-  # Part of standard configuration
+      value: "true"
+    - name: SECRET_KEY_BASE
+      value: cpln://secret/{{APP_SECRETS}}.SECRET_KEY_BASE
   staticPlacement:
     locationLinks:
       - {{APP_LOCATION_LINK}}

data/lib/generator_templates/templates/rails.yml

@@ -6,31 +6,22 @@ spec:
   type: standard
   containers:
     - name: rails
-      # 300m is a good starting place for a test app. You can experiment with CPU configuration
-      # once your app is running.
       cpu: 300m
-      env:
-        - name: LOG_LEVEL
-          value: debug
-      # Inherit other ENV values from GVC
       inheritEnv: true
       image: {{APP_IMAGE_LINK}}
-      # 512 corresponds to a standard 1x dyno type
       memory: 512Mi
       ports:
         - number: 3000
           protocol: http
   defaultOptions:
-    # Start out like this for "test apps"
     autoscaling:
-      # Max of 1 effectively disables autoscaling, so a like a Heroku dyno count of 1
+      minScale: 1
       maxScale: 1
     capacityAI: false
+    timeoutSeconds: 60
   firewallConfig:
     external:
-      # Default to allow public access to Rails server
       inboundAllowCIDR:
         - 0.0.0.0/0
-      # Could configure outbound for more security
       outboundAllowCIDR:
         - 0.0.0.0/0

data/lib/generator_templates_sqlite/controlplane.yml

@@ -0,0 +1,46 @@
+# Keys beginning with "cpln_" correspond to your settings in Control Plane.
+#
+# Generated baseline for a Rails app that uses SQLite in production. This setup
+# keeps `/app/db` and `/app/storage` on persistent volumes.
+
+allow_org_override_by_env: true
+allow_app_override_by_env: true
+
+aliases:
+  common: &common
+    cpln_org: my-org-staging
+    default_location: aws-us-east-2
+    setup_app_templates:
+      - app
+      - db
+      - storage
+      - rails
+
+    one_off_workload: rails
+    app_workloads:
+      - rails
+    additional_workloads: []
+
+    maintenance_workload: maintenance
+    release_script: release_script.sh
+
+    stale_app_image_deployed_days: 5
+    image_retention_days: 7
+
+  production: &production
+    <<: *common
+    allow_org_override_by_env: false
+    allow_app_override_by_env: false
+    cpln_org: my-org-production
+    upstream: __APP_PREFIX__-staging
+
+apps:
+  __APP_PREFIX__-staging:
+    <<: *common
+
+  __APP_PREFIX__-review:
+    <<: *common
+    match_if_app_name_starts_with: true
+
+  __APP_PREFIX__-production:
+    <<: *production

data/lib/generator_templates_sqlite/release_script.sh

@@ -0,0 +1,25 @@
+#!/bin/sh
+set -e
+
+log() {
+  echo "[$(date +%Y-%m-%d:%H:%M:%S)]: $1"
+}
+
+error_exit() {
+  log "$1" 1>&2
+  exit 1
+}
+
+log "Running release_script.sh per controlplane.yml"
+
+mkdir -p db storage
+
+if [ -x ./bin/rails ]; then
+  log "Run DB migrations"
+  SECRET_KEY_BASE="${SECRET_KEY_BASE:-precompile_placeholder}" ./bin/rails db:prepare || \
+    error_exit "Failed to run DB migrations"
+else
+  error_exit "./bin/rails does not exist or is not executable"
+fi
+
+log "Completed release_script.sh per controlplane.yml"

data/lib/generator_templates_sqlite/templates/app.yml

@@ -0,0 +1,15 @@
+kind: gvc
+name: {{APP_NAME}}
+spec:
+  env:
+    - name: RAILS_ENV
+      value: production
+    - name: RAILS_LOG_TO_STDOUT
+      value: "true"
+    - name: RAILS_SERVE_STATIC_FILES
+      value: "true"
+    - name: SECRET_KEY_BASE
+      value: cpln://secret/{{APP_SECRETS}}.SECRET_KEY_BASE
+  staticPlacement:
+    locationLinks:
+      - {{APP_LOCATION_LINK}}

data/lib/generator_templates_sqlite/templates/db.yml

@@ -0,0 +1,6 @@
+kind: volumeset
+name: app-db
+spec:
+  fileSystemType: ext4
+  initialCapacity: 5
+  performanceClass: general-purpose-ssd

data/lib/generator_templates_sqlite/templates/rails.yml

@@ -0,0 +1,32 @@
+kind: workload
+name: rails
+spec:
+  type: standard
+  containers:
+    - name: rails
+      cpu: 300m
+      inheritEnv: true
+      image: {{APP_IMAGE_LINK}}
+      memory: 512Mi
+      ports:
+        - number: 3000
+          protocol: http
+      volumes:
+        - path: /app/db
+          recoveryPolicy: retain
+          uri: cpln://volumeset/app-db
+        - path: /app/storage
+          recoveryPolicy: retain
+          uri: cpln://volumeset/app-storage
+  defaultOptions:
+    autoscaling:
+      minScale: 1
+      maxScale: 1
+    capacityAI: false
+    timeoutSeconds: 60
+  firewallConfig:
+    external:
+      inboundAllowCIDR:
+        - 0.0.0.0/0
+      outboundAllowCIDR:
+        - 0.0.0.0/0

data/lib/generator_templates_sqlite/templates/storage.yml

@@ -0,0 +1,6 @@
+kind: volumeset
+name: app-storage
+spec:
+  fileSystemType: ext4
+  initialCapacity: 10
+  performanceClass: general-purpose-ssd

data/lib/github_flow_templates/.github/actions/cpflow-build-docker-image/action.yml

@@ -0,0 +1,131 @@
+name: Build Docker Image
+description: Builds and pushes the app image for a Control Plane workload
+
+inputs:
+  app_name:
+    description: Name of the application
+    required: true
+  org:
+    description: Control Plane organization name
+    required: true
+  commit:
+    description: Commit SHA to tag the image with
+    required: true
+  pr_number:
+    description: Pull request number for status messaging
+    required: false
+  docker_build_extra_args:
+    description: Optional newline-delimited extra docker build tokens. Use key=value forms like --build-arg=FOO=bar.
+    required: false
+  docker_build_ssh_key:
+    description: Optional private SSH key used for Docker builds that fetch private dependencies with RUN --mount=type=ssh
+    required: false
+  docker_build_ssh_known_hosts:
+    description: Optional SSH known_hosts entries used with docker_build_ssh_key. Defaults to pinned GitHub.com host keys.
+    required: false
+  working_directory:
+    description: Directory containing the app .controlplane config and Docker build context
+    required: false
+    default: "."
+
+runs:
+  using: composite
+  steps:
+    # Keep SSH key handling in a dedicated step so DOCKER_BUILD_SSH_KEY is never present
+    # in the main build step's environment. ACTIONS_STEP_DEBUG=true dumps env before any
+    # command runs, so keeping the key out of env there avoids even admin-triggered exposure.
+    - name: Prepare SSH agent for Docker build
+      if: ${{ inputs.docker_build_ssh_key != '' }}
+      shell: bash
+      env:
+        # Pass the key via env so the file write is a single printf call rather than a
+        # heredoc with a fixed terminator (a heredoc would silently truncate the key if
+        # any line of the key value happened to match the terminator). Scope is still
+        # this step only — the build step below does not receive DOCKER_BUILD_SSH_KEY.
+        DOCKER_BUILD_SSH_KEY: ${{ inputs.docker_build_ssh_key }}
+        DOCKER_BUILD_SSH_KNOWN_HOSTS: ${{ inputs.docker_build_ssh_known_hosts }}
+      run: |
+        set -euo pipefail
+
+        umask 077
+        mkdir -p ~/.ssh
+        chmod 700 ~/.ssh
+
+        if [[ -n "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" ]]; then
+          printf '%s\n' "${DOCKER_BUILD_SSH_KNOWN_HOSTS}" > ~/.ssh/known_hosts
+        else
+          printf '%s\n' \
+            'github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl' \
+            'github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=' \
+            'github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=' \
+            > ~/.ssh/known_hosts
+        fi
+        chmod 600 ~/.ssh/known_hosts
+
+        printf '%s\n' "${DOCKER_BUILD_SSH_KEY}" > ~/.ssh/cpflow_build_key
+        chmod 600 ~/.ssh/cpflow_build_key
+
+    - name: Build Docker image
+      shell: bash
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        COMMIT_SHA: ${{ inputs.commit }}
+        CONTROL_PLANE_ORG: ${{ inputs.org }}
+        DOCKER_BUILD_EXTRA_ARGS: ${{ inputs.docker_build_extra_args }}
+        PR_NUMBER: ${{ inputs.pr_number }}
+        WORKING_DIRECTORY: ${{ inputs.working_directory }}
+      run: |
+        set -euo pipefail
+
+        PR_INFO=""
+        docker_build_args=()
+        ssh_agent_started=false
+        build_ssh_prepped=false
+
+        cleanup_build_ssh() {
+          if [[ "${ssh_agent_started}" == "true" ]]; then
+            ssh-agent -k >/dev/null || true
+          fi
+          rm -f "${HOME}/.ssh/cpflow_build_key"
+          # Only remove known_hosts if this action's prep step wrote it. On self-hosted
+          # or reused runners we must not touch a user-managed file we did not create,
+          # so the flag is set inside the same prep-detection branch below.
+          if [[ "${build_ssh_prepped}" == "true" ]]; then
+            rm -f "${HOME}/.ssh/known_hosts"
+          fi
+        }
+        trap cleanup_build_ssh EXIT
+        cd "${WORKING_DIRECTORY}"
+
+        if [[ -n "${PR_NUMBER}" ]]; then
+          PR_INFO=" for PR #${PR_NUMBER}"
+        fi
+
+        if [[ -n "${DOCKER_BUILD_EXTRA_ARGS}" ]]; then
+          while IFS= read -r arg; do
+            arg="${arg%$'\r'}"
+            [[ -n "${arg}" ]] || continue
+
+            if [[ "${arg}" =~ [[:space:]] ]]; then
+              echo "docker_build_extra_args entries must be single docker-build tokens. " \
+                   "Use key=value forms like --build-arg=FOO=bar." >&2
+              exit 1
+            fi
+
+            docker_build_args+=("${arg}")
+          done <<< "${DOCKER_BUILD_EXTRA_ARGS}"
+        fi
+
+        if [[ -f "${HOME}/.ssh/cpflow_build_key" ]]; then
+          # Mark prep-step ownership so cleanup_build_ssh only removes known_hosts
+          # when this action wrote it (see trap above).
+          build_ssh_prepped=true
+          eval "$(ssh-agent -s)"
+          ssh_agent_started=true
+          ssh-add "${HOME}/.ssh/cpflow_build_key"
+          docker_build_args+=("--ssh=default")
+        fi
+
+        echo "🏗️ Building Docker image${PR_INFO} (commit ${COMMIT_SHA})..."
+        cpflow build-image -a "${APP_NAME}" --commit="${COMMIT_SHA}" --org="${CONTROL_PLANE_ORG}" "${docker_build_args[@]}"
+        echo "✅ Docker image build successful${PR_INFO} (commit ${COMMIT_SHA})"

data/lib/github_flow_templates/.github/actions/cpflow-delete-control-plane-app/action.yml

@@ -0,0 +1,24 @@
+name: Delete Control Plane App
+description: Deletes a Control Plane app and all associated resources
+
+inputs:
+  app_name:
+    description: Name of the application to delete
+    required: true
+  cpln_org:
+    description: Control Plane organization name
+    required: true
+  review_app_prefix:
+    description: Prefix used for review app names
+    required: true
+
+runs:
+  using: composite
+  steps:
+    - name: Delete application
+      shell: bash
+      run: ${{ github.action_path }}/delete-app.sh
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        CPLN_ORG: ${{ inputs.cpln_org }}
+        REVIEW_APP_PREFIX: ${{ inputs.review_app_prefix }}

data/lib/github_flow_templates/.github/actions/cpflow-delete-control-plane-app/delete-app.sh

@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -euo pipefail
+
+: "${APP_NAME:?APP_NAME environment variable is required}"
+: "${CPLN_ORG:?CPLN_ORG environment variable is required}"
+: "${REVIEW_APP_PREFIX:?REVIEW_APP_PREFIX environment variable is required}"
+
+expected_prefix="${REVIEW_APP_PREFIX}-"
+if [[ "$APP_NAME" != "${expected_prefix}"* ]]; then
+  echo "❌ ERROR: refusing to delete an app outside the review app prefix" >&2
+  echo "App name: $APP_NAME" >&2
+  echo "Expected prefix: ${expected_prefix}" >&2
+  exit 1
+fi
+
+echo "🔍 Checking if application exists: $APP_NAME"
+exists_output=""
+set +e
+exists_output="$(cpflow exists -a "$APP_NAME" --org "$CPLN_ORG" 2>&1)"
+exists_status=$?
+set -e
+
+case "$exists_status" in
+  0)
+    ;;
+  3)
+    if [[ -n "$exists_output" ]]; then
+      printf '%s\n' "$exists_output"
+    fi
+    echo "⚠️ Application does not exist: $APP_NAME"
+    exit 0
+    ;;
+  *)
+    echo "❌ ERROR: failed to determine whether application exists: $APP_NAME" >&2
+    if [[ -n "$exists_output" ]]; then
+      printf '%s\n' "$exists_output" >&2
+    fi
+    exit "$exists_status"
+    ;;
+esac
+
+if [[ -n "$exists_output" ]]; then
+  printf '%s\n' "$exists_output"
+fi
+
+echo "🗑️ Deleting application: $APP_NAME"
+cpflow delete -a "$APP_NAME" --org "$CPLN_ORG" --yes
+
+echo "✅ Successfully deleted application: $APP_NAME"

data/lib/github_flow_templates/.github/actions/cpflow-detect-release-phase/action.yml

@@ -0,0 +1,62 @@
+name: Detect release phase support
+description: >-
+  Inspects .controlplane/controlplane.yml for an app and emits `flag=--run-release-phase`
+  when a `release_script:` is configured. Outputs an empty `flag` otherwise.
+
+inputs:
+  app_name:
+    description: cpflow app name to inspect
+    required: true
+  working_directory:
+    description: Directory containing .controlplane/controlplane.yml
+    required: false
+    default: "."
+
+outputs:
+  flag:
+    description: Either `--run-release-phase` or empty
+    value: ${{ steps.detect.outputs.flag }}
+
+runs:
+  using: composite
+  steps:
+    - name: Detect release phase support
+      id: detect
+      shell: bash
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        WORKING_DIRECTORY: ${{ inputs.working_directory }}
+      run: |
+        set -euo pipefail
+        cd "${WORKING_DIRECTORY}"
+
+        release_script="$(ruby - "${APP_NAME}" <<'RUBY'
+        require "yaml"
+
+        app_name = ARGV.fetch(0)
+        data = YAML.safe_load(File.read(".controlplane/controlplane.yml"), aliases: true)
+        apps = data["apps"] || {}
+        app_config = apps[app_name]
+
+        unless app_config
+          app_config = apps.find do |name, config|
+            config.is_a?(Hash) &&
+              config["match_if_app_name_starts_with"] &&
+              app_name.start_with?(name)
+          end&.last
+        end
+
+        unless app_config.is_a?(Hash)
+          warn "Error: app '#{app_name}' is not defined under `apps:` in `.controlplane/controlplane.yml`."
+          exit 1
+        end
+
+        puts app_config["release_script"].to_s
+        RUBY
+        )"
+
+        if [[ -n "${release_script}" ]]; then
+          echo "flag=--run-release-phase" >> "$GITHUB_OUTPUT"
+        else
+          echo "flag=" >> "$GITHUB_OUTPUT"
+        fi